Prerequisites

OpsCenter Lifecycle Manager can configure DataStax Enterprise clusters to use
node-to-node encryption. It automates the process of preparing server
certificates using an internal certificate authority and deploys the resulting
keystore and truststore to each node.

Configure the keystore and truststore, depending on whether you are using local
keystore files or a remote keystore provider. All settings are configured in the
server_encryption_options section of cassandra.yaml:

Encryption options for inter-node communication using the
TLS_RSA_WITH_AES_128_CBC_SHA cipher suite for authentication, key exchange, and
encryption of data transfers. Use the DHE/ECDHE ciphers, such as
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, if running in Federal Information Processing
Standard (FIPS) 140 compliant mode.

store_type

Valid types are JKS, JCEKS, PKCS12, or PKCS11.

Default: commented out (JKS)

keystore

Relative path from the DSE installation directory or absolute path to the Java
keystore (JKS) suitable for use with Java Secure Socket Extension (JSSE),
which is the Java version of the Secure Sockets Layer (SSL) and Transport
Layer Security (TLS) protocols. The keystore contains the private key used
to encrypt outgoing messages.

Default: resources/dse/conf/.keystore

keystore_password

Password for the keystore. This must match the password used when generating
the keystore and truststore.

Default: cassandra

require_client_auth

Whether to enable certificate authentication for node-to-node (internode)
encryption. When not set, the default is false.

Default: commented out (false)

require_endpoint_verification

Whether to verify that the connected host and the host name in the certificate
match. When not set, the default is false.
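
The following check is an added example, not DataStax code. It reads the server_encryption_options section of a cassandra.yaml and reports the settings above that are still at their documented defaults. The sample file content, the function names, and the simple two-level parser (plain key: value lines, no inline comments) are assumptions made for illustration.

```python
# Added example: audit server_encryption_options against the documented defaults.
# SAMPLE_YAML is constructed for illustration, not taken from a real cluster.
SAMPLE_YAML = """\
cluster_name: 'demo'
server_encryption_options:
    # store_type: JKS
    keystore: resources/dse/conf/.keystore
    keystore_password: cassandra
    # require_client_auth: false
    require_endpoint_verification: false
client_encryption_options:
    enabled: false
"""

def parse_section(text, section="server_encryption_options"):
    """Return the active (uncommented) key/value pairs of one top-level section."""
    opts, inside = {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or commented out, so the documented default applies
        if not line[0].isspace():
            # A top-level key either opens the wanted section or closes it.
            inside = line.split(":", 1)[0].strip() == section
            continue
        if inside:
            key, _, value = line.strip().partition(":")
            opts[key.strip()] = value.strip().strip("'\"")
    return opts

def audit(opts):
    """Return (key, reason) pairs for settings left at their documented defaults."""
    findings = []
    # An absent keystore_password is treated as the documented default value.
    if opts.get("keystore_password", "cassandra") == "cassandra":
        findings.append(("keystore_password", "still the default 'cassandra'"))
    reasons = {
        "require_client_auth": "internode certificate authentication is off",
        "require_endpoint_verification": "certificate host name is not verified",
    }
    for key, reason in reasons.items():
        # Both options default to false when commented out or missing.
        if opts.get(key, "false").lower() != "true":
            findings.append((key, reason))
    return findings

if __name__ == "__main__":
    for key, reason in audit(parse_section(SAMPLE_YAML)):
        print(f"{key}: {reason}")
```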